Hacking My University: How I Found an IDOR Bug on Its Web Page
Whoami
Hello!
I’m Horus.sh, a first-year university student and part-time Bug Bounty Hunter with a deep passion for cybersecurity (mainly web). This is my first write-up on Medium :)
What is IDOR?
IDOR (Insecure Direct Object Reference) is an access-control vulnerability that occurs when a website or application takes a user-supplied identifier (a numeric ID, a username, an email address, a filename) from the URL or request body and uses it directly to look up an object, without checking that the requester is actually allowed to access that object. An attacker only has to swap the identifier for someone else’s:
https://example.com/reset_password?email=user@example.com
If the app doesn’t check whether the user is allowed to access that object, someone could exploit this to read or modify other people’s data. Obscuring the identifier does not help: Base64 is an encoding, not encryption or a secret, so an attacker can decode it, change it, and re-encode it at will.
My finding
When I watched movies about hackers, I was so excited. To young me, a hacker was equal to a genius. Naturally, I dreamed of becoming a part of this world. I imagined myself sitting in a black hoodie and hacking the Pentagon! Of course, it was more of a childhood dream.))
Jokes aside, let me introduce you to my finding.
My university has several web services: the main student portal, a news page, and an e-sport reservation system for booking gaming PCs. The last one is what I’m going to talk about.
While checking this web system, I navigated to the “Forgot Password” page and noticed something interesting. When I entered my email into the field, I received an email with a very intriguing password reset link.
https://E-SportPageExample.com/.../.../.../forgottenPassword?email=ZXhhbXBsZUB0ZXN0LnRlc3Q=
I quickly noticed that this link could be vulnerable to IDOR. When I opened CyberChef and tried to decode this Base64 string, I got my email in clear text!
Then, I asked my roommate for his email and tried to change his password. After seeing the success message, I successfully logged into his account!
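To make the root cause concrete, here is a small Python model of the two reset flows, added for this write-up (it is not the portal’s code and not the author’s). It reproduces the decode step done in CyberChef, shows why a Base64-encoded email is a forgeable direct object reference, and contrasts it with a reset that trusts only a random, single-use, expiring token. The in-memory user table, the sample email addresses, the function names and the `esport.example` hostname are all assumptions made up for the example.

```python
"""
Added example: the vulnerable reset link from the write-up, modelled next to
a hardened reset flow. Names, accounts and the hostname are hypothetical.
"""
import base64
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed sample accounts (hypothetical, for the example only).
USERS: Dict[str, Dict[str, str]] = {
    "example@test.test": {"password": "old-pass-1"},
    "roommate@test.test": {"password": "old-pass-2"},
}


def encode_email(email: str) -> str:
    """Base64-encode an email the way the link did. No secret is involved."""
    return base64.b64encode(email.encode()).decode()


def decode_email(param: str) -> str:
    """The CyberChef step: the ?email= parameter is plain Base64, not a token."""
    return base64.b64decode(param).decode()


def forge_reset_link(victim_email: str) -> str:
    """Build a victim's reset link with no access to their inbox at all.
    The hostname and path are assumed; the real path is not reproduced here."""
    return f"https://esport.example/forgottenPassword?email={encode_email(victim_email)}"


def vulnerable_reset(email_param: str, new_password: str) -> bool:
    """Vulnerable handler: whatever decodes to a known email gets its password
    replaced. The email is a direct object reference and nothing proves the
    requester owns that mailbox, so the check on the mailbox is skipped entirely."""
    email = decode_email(email_param)
    if email not in USERS:
        return False
    USERS[email]["password"] = new_password
    return True


# Hardened flow: a random token bound to one account, stored hashed,
# valid for a short time and consumed on first use.
RESET_TOKENS: Dict[str, Dict[str, object]] = {}
TOKEN_TTL_SECONDS = 15 * 60


def issue_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Called when the 'Forgot Password' form is submitted. The returned token
    must go only into the email sent to the account holder; the HTTP response
    should look the same whether or not the address exists."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    digest = hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token
    RESET_TOKENS[digest] = {
        "email": email,
        "expires": (now if now is not None else time.time()) + TOKEN_TTL_SECONDS,
    }
    return token


def secure_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Reset handler that trusts only possession of a live, unused token.
    The account to change comes from the server-side record, never from the request."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # pop first: single use even on failure
    if entry is None:
        return False
    current = now if now is not None else time.time()
    if current > float(entry["expires"]):
        return False
    USERS[str(entry["email"])]["password"] = new_password
    return True


if __name__ == "__main__":
    print(decode_email("ZXhhbXBsZUB0ZXN0LnRlc3Q="))           # the link from the write-up
    print(vulnerable_reset(encode_email("roommate@test.test"), "pwned"))
    tok = issue_reset_token("example@test.test")
    print(secure_reset(tok, "new-pass"), secure_reset(tok, "again"))
```

The decisive difference is where the account identity comes from: the vulnerable handler reads it from the request (anyone can write a Base64 string), while the hardened one looks it up from a server-side record keyed by a token that only the mailbox owner ever receives. Hashing the stored token, expiring it and consuming it on first use are the usual extra steps so that a leaked database, an old email, or a replayed link cannot be turned into the same takeover.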
Conclusion
This bug doesn’t cause much damage, as this portal is only used to reserve gaming PCs. However, it could still be used to prank a gamer friend. Emails aren’t a big hurdle either, as I can find anyone’s email on the main web page.
Thanks for reading, and see you in my next write-up!